Your message dated Thu, 17 Apr 2008 00:07:01 +0100
with message-id <[EMAIL PROTECTED]>
and subject line teapop has been removed from Debian, closing #172957
has caused the Debian Bug report #172957,
regarding Incorrect handling of null bytes in unlikely situation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
172957: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172957
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: teapop
Version: 0.3.4-1 (not installed)
Severity: normal
This code is probably not safe...
In teapop/pop_mbox.c:

  void
  pop_mbox_get_status(pinfo)
  POP_INFO *pinfo;
  {
      char buf[1024], *ptr, *tmpstr;
      ...
      while (fgets(buf, sizeof(buf), pinfo->mbox)) {
          ...
          if (buf[strlen(buf)-1] == '\n')
              curmsg->size++;
          else if (strlen(buf) != sizeof(buf))
              buf[strlen(buf)] = '?';
          curmsg->size += strlen(buf);
          curmsg->realsize += strlen(buf);

buf[strlen(buf)] will contain the terminating '\0'. This code replaces
the terminating '\0' with a '?', possibly causing subsequent strlen()s
to go past the end of the buffer.
To trigger this, just have a mailbox file that doesn't have a newline
immediately before the EOF.
There is similar code in teapop/pop_maildir.c.
--- End Message ---
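
An added example, not part of the original report and not teapop's code: the same per-line tally written so the terminator is never overwritten, with strlen() taken once per chunk and the no-newline case recorded in a flag instead. All names (mbox_tally, tally_stream, tally_bytes) are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not teapop's code. */
struct mbox_tally {
    size_t size;       /* realsize plus one per newline-terminated line */
    size_t realsize;   /* bytes measured by strlen() */
    int unterminated;  /* a line ended without '\n' before the buffer filled */
};

/* Tally a stream like the reported loop, but never write to buf[len]. */
static int tally_stream(FILE *fp, struct mbox_tally *t)
{
    char buf[1024];
    memset(t, 0, sizeof(*t));
    while (fgets(buf, sizeof(buf), fp)) {
        size_t len = strlen(buf);        /* measured once; at most sizeof(buf) - 1 */
        if (len == 0)                    /* chunk starts with a NUL byte: */
            continue;                    /* buf[len - 1] would index before buf */
        if (buf[len - 1] == '\n')
            t->size++;                   /* same +1 as the reported code */
        else if (len < sizeof(buf) - 1)
            t->unterminated = 1;         /* record it, leave the '\0' in place */
        t->size += len;
        t->realsize += len;
    }
    return ferror(fp) ? -1 : 0;
}

/* Run the tally over constructed bytes through a temporary file. */
static int tally_bytes(const char *data, size_t n, struct mbox_tally *t)
{
    FILE *fp = tmpfile();
    int rc;
    if (fp == NULL) return -1;
    rc = (fwrite(data, 1, n, fp) == n && fseek(fp, 0L, SEEK_SET) == 0)
             ? tally_stream(fp, t) : -1;
    fclose(fp);
    return rc;
}

int main(void)
{
    struct mbox_tally t;   /* constructed input: no newline before EOF */
    if (tally_bytes("From a\nbody", 11, &t) != 0) return 1;
    printf("size=%zu realsize=%zu unterminated=%d\n", t.size, t.realsize, t.unterminated);
    return 0;
}
```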
--- Begin Message ---
Version: 0.3.7-4.2
The teapop package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.
For more information about this package's removal, read
http://bugs.debian.org/474099 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
http://Marco.Tondela.org
--- End Message ---